Skip to main content

Dear Sir,


   sorry for my english.


my environment has 2 server.


Server1 (si1devmoss01 with devk2service account)


Window 2008 R2 Standard. IIS 7.5


K2 blackpearl 0807 (4.8210.3.0)


Server2 (si2devmoss02 with devsqlservice account)


Window 2008 R2 Standard. IIS 7.5


MSSQL 2008 with reporting service


 


   When I setup compIete (everything such as k2workpace,all spn,reporting service etc.) . I have a problem when I view the process overview from remote computer, it always show "The request failed with HTTP status 401: Unauthorized."  but if i view on server1 (si1devmoss01) ,it can view normally. 


images by free.in.th


I try to investigate by open the console. i found out that it use only NTLM for authenticate.
images by free.in.th



I try to test by use "specific user" instad of "pass through authentication" on  K2 Workspace Site in IIS. it can view the report normally and using keberos for authentication. I guess that this problem may be come from  "pass through authentication" not success.


images by free.in.th
Thanks: ฝากรูป




images by free.in.th


 This picture below is SPN for K2 service and MSSQL Reporting service.


images by free.in.th



Could you please advice me to fixed this problem?


Thank you in advance.


 

IMHO 401: Unauthorised pretty much always points to a Kerberos problem.


As you've noted, the reason you can access the Workspace correctly is that it's using NTLM when you are logged onto si1devmoss01 or explicitly specify the username and password.  The problem is when you are trying to authenticate using Kerberos.


First, check that the Workspace site is added to the Local Intranet zone in Internet Explorer.  It must be in this zone for Kerberos to work.  If necessary, update the Group Policy to add the site to the Local Intranet zone for all domain users.


Secondly, ensure that the service account have delegation configured correctly within Active Directory.  You don't need to use constrained delegation, just ensure that the accounts are set to "Trust this user for delegation to any service (Kerberos only)".


If this doesn't fix your problem, install a protocal analyser like Fiddler on a PC and look at the requests and responses being generated when you attempt to access the Workspace site.  You should see a Kerberos token being passed back following a 401 response from the server.


Post back with the results.  Hope this helps.

Correction: Kerberos works in both the Local Intranet and Trusted Sites zones.


Sorry about any potential confusion.

Just a thought.  It might also be a good idea to upgrade to 4.5v1290 as this includes the new K2 pass-through authentication feature.   This helps to get around the need for configuring Kerberos delegation.

Thank you for your message.


I have done it already by your advice but I still get the same error, "The request failed with HTTP status 401: Unauthorized"


I can't update to K2 4.5 because my company don't have a update plan in this time.


 


images by free.in.th
Thanks: ฝากรูป


images by free.in.th
Thanks: ฝากรูป images by free.in.th


 


some picture from Fiddler Program



Thanks: ฝากรูป


images by free.in.th



images by free.in.th
Thanks: ฝากรูป

Your configuration looks okay but there's too much going on in those Fiddler logs for me to follow properly.  The biggest problem shown in these seems to be a series of HTTP 404 File not found errors.


Can you please clear all sessions: Edit > Remove > All Sessions.  Then invoke a request, and post back the contents of the Raw tabs for the HTTP 200 responses immediately following the first HTTP 401 response.

Thank you!  Davc for your message. I have already capture the picture of HTTP 200.


if you would like to get more information,  Please post your message i will response to you as soon as posible.


Thank you for your help in advance.


images by free.in.th
Thanks: ฝากรูป

Okay, well it looks like a Kerberos token is being passed to the Workspace site which is good.


Can you please confirm that you can get to the Reporting Services site when you browse to it directly - usually http://server:port/Reports/Pages/Folder.aspx?


I'm wondering if permissions are set up on Reporting Services correctly.

Davec , Thank you for your message.


 the picture below is the permissions on Reporting Service. When I try to open report, it call back with keberos . However, it don't show the workflow that i deployed for test if i open directly on report server. but if i open on k2 workspace on K2server (si1devmoss01) it show correctly.


 


images by free.in.th
Thanks: ฝากรูป


images by free.in.th
Thanks: ฝากรูป

Reviewing your SPNs from the first post, it appears you don't have one for the MS SQL Service.  Try creating one for your SQL account:


MSSQLSvc/server.domain.com:1433

Otherwise this blog post has some great tips on solving Kerberos issues:


http://blogs.inetium.com/blogs/jdevries/archive/2006/04/21/more-on-kerberos-and-delegation-troubleshooting.aspx


Good day,


What happens when you switch the delegation for devK2Service to constrained delegation with protocol transition. Then click on " Add" and search for the DevK2Service account. Select all and clink on add again. Seeing that K2 workspace and the K2 Blackpearl server is running on the same server, this might help. Also search for the devSQLservice account, then select the value and click on Add. You should see 4 entries in the list for the DevK2Service account.


Let me know if this helped.


Regards,


Coenie

Thank you so much for all message. I will try to test all solution and reply to you as soon as posible.


 


 

Reply


View our Community Site Map

Nintex Community Sitemap
Terms & ConditionsCookie settings